Agent identity policy governs who or what is allowed to initiate action, while tool policy governs what that identity can reach once a request is made. Both must align, because a strong agent policy with weak tool policy still allows overbroad actions through permitted integrations.
Why This Matters for Security Teams
agent identity policy and tool policy are easy to blur together, but they solve different problems. Identity policy decides whether an agent is allowed to act at all, while tool policy decides which systems, endpoints, or functions that agent can touch once action is permitted. For autonomous workloads, that distinction matters because a valid identity does not automatically imply safe access.
Security teams often over-invest in agent authentication and under-specify tool-level guardrails, which leaves high-risk integrations open once a token is issued. That gap is visible across the NHI landscape: the Ultimate Guide to NHIs notes that 97% of NHIs carry excessive privileges, a pattern that becomes more dangerous when an agent can chain tools at runtime. Current guidance from the OWASP Agentic AI Top 10 and NIST AI Risk Management Framework treats this as a policy separation problem, not just an access control problem.
In practice, many security teams encounter overbroad tool execution only after an agent has already used a permitted integration to reach data or actions that were never intended.
How It Works in Practice
Agent identity policy is the entry gate. It answers questions like: is this a sanctioned agent, is the workload authenticated, is the request originating from the expected environment, and is the action consistent with approved intent? Tool policy is the execution gate. It governs whether that identity may invoke a specific tool, action, scope, or dataset at request time. In a mature design, both policies are evaluated together, but they are authored and reviewed separately.
For example, an agent may be trusted to summarize incident data, but tool policy should still block write access to ticketing systems, secrets managers, or production APIs unless the specific task requires it. That is where workload identity and runtime authorisation matter. Instead of depending on static role assignments, teams are moving toward context-aware checks, JIT credentials, and short-lived tokens so the agent only receives the access needed for the current task. The Ultimate Guide to NHIs and the CSA MAESTRO agentic AI threat modeling framework both reinforce that identity governance alone does not stop tool misuse.
- Identity policy should validate the agent, its workload identity, and the approved operating context.
- Tool policy should constrain each tool by action, resource, time, and data sensitivity.
- Runtime checks should deny tool chaining when the combined effect exceeds the task intent.
- Logging should show both the agent identity decision and the downstream tool decision for auditability.
Good practice is to express these controls in policy-as-code so changes are reviewable and testable. These controls tend to break down when teams reuse human IAM roles for agents, because human roles rarely model autonomous tool chaining, bursty execution, or task-specific scope.
Common Variations and Edge Cases
Tighter tool policy often increases operational overhead, requiring organisations to balance task speed against blast-radius reduction. That tradeoff is real, especially where agents must call many services in sequence or operate across multiple business units.
There is no universal standard for this yet, but current guidance suggests separating policy ownership: platform teams often govern agent identity, while application or service owners govern tool access. That split helps avoid a common failure mode where one team approves the agent broadly and assumes downstream tool boundaries will be handled elsewhere. The 52 NHI Breaches Analysis shows how quickly identity sprawl becomes incident sprawl when permissions are not segmented.
Edge cases matter. A read-only tool can still become risky if it exposes prompts, configuration, or secrets that an agent can use to escalate elsewhere. Likewise, a narrowly scoped agent identity can still cause harm if the tool policy allows high-impact actions like code deployment, message sending, or secrets retrieval. Best practice is evolving toward intent-based authorisation, where the agent states what it is trying to do and the policy engine evaluates whether the specific tool call is consistent with that intent. In environments with legacy APIs, shared service accounts, or broad integration hubs, this model is harder to enforce and policy drift becomes more likely.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | NHI-03 | Agent and tool separation depends on limiting overbroad credentials. |
| CSA MAESTRO | MAESTRO models agent behaviour, tool chaining, and policy boundaries. | |
| NIST AI RMF | AI RMF supports governance for context-aware authorisation of agents. |
Define separate runtime checks for agent intent and tool scope before issuing any access token.
Related resources from NHI Mgmt Group
- What is the difference between patching a vulnerability and reducing identity blast radius?
- What is the difference between data governance and agent governance?
- What is the difference between human identity governance and AI agent governance?
- What is the difference between attack surface management and NHI governance?
